#1
Given the choice of AVG Anti-Rootkit or RootKitRevealer, based on your experience, which one would be your choice? I am using both occasionally, but to date AVG is finding nothing while RKR is. This is becoming a bit disconcerting to me. It may mean absolutely nothing, but I am doubtful. Unfortunately, RKR does not have a manual or guide that helps those of us with little experience determine what the log is telling us. Fortunately, RKR has a forum where people with little experience and knowledge can seek help from those who have it. I have heard good things about both GMER and Sophos, but they both confuse me. And, believe me, it doesn't take much to do that. As always, I thank you for all your replies.
#2
Quote:
---- rich
#3
Quote:
Personal recommendation is to look from outside of Windows.
#4
Hi
In my limited experience, you have to be a bit careful of anti-rootkit software detectors. Touch nothing while it's scanning for one. Some are very, very sensitive to other software that's hooking the kernel.
__________________
Cheers Jon
#5
jpc, I'm probably in a similar sort of knowledge area. I've tried IceSword, AVG ARK, RootkitRevealer, and Sophos. I don't know enough about them (the programs or rootkits in general) to confidently interpret the results.
So I don't. While learning, the Sysinternals forum proved helpful, and I was able to relegate the 2 entries I had to FPs. My impression of the AVG tool is that it's for the average user, and that RKR is a bit more advanced. Ditto IceSword and GMER. My feeling, based on a little reading here and around the W, is that anything designed by Mark Russinovich is likely to be a fairly superior product.
__________________
Avast Home, MVPS Hostsfile, Secunia PSI, Autorun Eater, Windows Firewall, MBAM (on demand), XP SP3.
#6
I should have been more exact in my original posting. What started this is that I had scanned my system with ThreatFire and it detected 2 registry items. I followed that scan with RKR, and it found the 2 registry items found by ThreatFire plus 5 others. I then looked with Regedit at the entries found by ThreatFire and RKR and did not see anything suspicious, at least not in my mind. But not relying on my rather limited knowledge, I posted the entries found by the two programs to the RKR forum. I received a reply from one of the moderators that addressed each entry, and I was told that I had no reason for concern. After all of this I didn't understand why AVG AntiRootKit never detected anything. Either AVG AntiRootKit is such a good program that it knew there was not a problem with the entries, or perhaps it should have detected the entries and didn't. I was just afraid I was placing too much confidence in the program. Other rootkit postings I have seen have mentioned Sophos, GMER, RootKitRevealer and I believe one or two others, but I don't recall seeing AVG AntiRootKit. I guess my question is: should I or should I not rely on AVG AntiRootKit? Most likely this is not a yes or no question.
#7
I would prefer RKR, especially if their forum has been helpful.
AVG's antirootkit is probably similar to antirootkits from AV vendors, designed for ease of use. I don't know about effectiveness though. I had a site bookmarked that had reviews of antirootkit scanners as well as download links for many scanners. I don't have it anymore and can't find it in a Google search.
#8
Quote:
Quote:
#9
Quote:
Quote:
__________________
Avast Home, MVPS Hostsfile, Secunia PSI, Autorun Eater, Windows Firewall, MBAM (on demand), XP SP3.
#10
Hello,
Any bootable CD, rootkitty. Mrk
__________________
http://www.dedoimedo.com All your base are belong to us. Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#11
@Targ: cool link collection
#12
Any word on Rootkit Unhooker?
I thought this used to be the best; don't know what happened, bought out or something...
#13
Quote:
Discontinued
__________________
Ade Gill, Malwarebytes Researcher
#14
IceSword's my personal favorite.
Although I haven't had much experience with many rootkits, I've found it far quicker to remove active rootkits using IceSword than using other tools (in my experience).
#15
Personally I prefer Sony. Buy the music and they throw in the root kit for free.
__________________
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability. The Prince, by Niccolo Machiavelli.
#16
AKR 2.007 from safe-protect for me; not famous, but very useful.
#17
Quote:
Come on, they just quit?? No big payday? That's lousy...
#18
Quote:
See the December 23, 2007 blog at: http://www.antirootkit.com/blog/
#19
Quote:
That's great... I read some blogger a while back who was trying to say the RKU developers were crooked; glad to see that's not true... Hope they're making a ton of $$$ from Microsoft. That EP_XOFF mentions EASTER and fcukdat for thanks on his site, so there are some people on here who app. really know their stuff.
#20
Personally I don't really have a favorite, but I keep hearing that RkU, IceSword and GMER are the best. I only use them when my system is acting weirdly and I start to get all paranoid again.
Quote:
I see that the topic title has changed, good point.
#21
Quote:
Some final words on the notorious aggressiveness that the RkU authors had against Gmer (and now they are playing down the whole story to distort the truth (remember the sheep and wolf story: first the wolves, and suddenly the sheep?)): one only attacks the one who owns the ball. So Gmer, they only raised their hats to you. I also say "chapeau" for the last revelation of stealth MBR; that is the right direction. If you get directly/massively attacked, no matter in what way, then this is a sign that you must be damn good or/and you must have revealed something deeply hidden that wasn't intended to be found (or maybe you woke up a beast from a deep sleep because you brought some rays of light into its darkness ;-)).
Last edited by SystemJunkie : January 5th, 2008 at 10:05 AM.
#22
Quote:
It is sold to Microsoft & the development team is going to work for billyboy. There's nothing that money can't buy.
#23
Quote:
I'll show you the toplist based on usefulness, removal and information if the system is infected (vs. ADS rootkit, vs. FU rootkit, vs. FU+hidden):
1. Gmer
2. Radix
3. RkUnhooker
------------------------
4. IceSword
5. McAfee RkDetector
6. AVG
7. Sophos
8. A Tools
9. NIAP Rootkit Detect
10. Blacklight
11. Avira
12. Trend Micro
13. Sysprot
14. Helios
15. Panda
16. RkRevealer
Corrections: 4 tools capable of removing ADS streams. IceSword belongs to the top 4.
Last edited by SystemJunkie : February 3rd, 2008 at 05:28 PM.
#24
Quote:
IceSword can whack ADS; Rustock B is used here for illustration purposes. In the main IceSword GUI, select the File option, left-click on the local disk (C:) to highlight it, then right-click and select the *Enum ADS (include subdir)* option. Next, if you get a suspicious ADS entry, highlight it and select Copy to bring the binary out of the ADS for inspection, or alternatively, if it is a known bad boy, highlight the line and delete it.
__________________
Ade Gill, Malwarebytes Researcher
Last edited by fcukdat : February 3rd, 2008 at 04:36 PM.
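The same enumerate, copy-out, delete sequence that the post above walks through in the IceSword GUI, done from PowerShell instead. This is an added example, not part of the post and not IceSword's code. It assumes Windows PowerShell 5.1 (the -Encoding Byte form of Get-Content; PowerShell 7 uses -AsByteStream instead), an elevated prompt, and that $Root, $ExportDir and the benign-stream list are example values to adjust for your own machine.

```powershell
<#
Added example: enumerate NTFS alternate data streams (ADS) under a root,
report anything that is not the ordinary Zone.Identifier mark-of-the-web,
copy each flagged stream out to a plain file for inspection, and only
delete it when -Delete is passed. Assumes Windows PowerShell 5.1 and an
elevated prompt; $Root, $ExportDir and $benign are example values.
#>
param(
    [string]$Root      = 'C:\',
    [string]$ExportDir = (Join-Path $env:TEMP 'ads-export'),
    [switch]$Delete    # streams are removed only when this is given
)

# Streams that are normal and not worth reporting. ':$DATA' is the file's own
# content; Zone.Identifier is the browser download marker. Assumption: extend
# this list for streams your backup or EDR agents legitimately add.
$benign = @(':$DATA', 'Zone.Identifier')

function Get-SuspiciousAds {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream attached to the file, named or not.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $benign -notcontains $_.Stream }
}

function Test-PeHeader {
    # True when the stream begins with 'MZ', i.e. an executable image parked
    # in an ADS, which is the classic ADS-dropper pattern.
    param([byte[]]$Bytes)
    return ($null -ne $Bytes -and $Bytes.Length -ge 2 -and
            $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A)
}

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($s in Get-SuspiciousAds -Path $Root) {
    # Raw bytes of the stream (PowerShell 7: replace -Encoding Byte with -AsByteStream).
    [byte[]]$bytes = Get-Content -LiteralPath $s.FileName -Stream $s.Stream -Encoding Byte -ReadCount 0
    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # zero-length stream

    $tag = if (Test-PeHeader $bytes) { 'PE-IMAGE' } else { 'data' }
    Write-Output ('{0,-8} {1,10} bytes  {2}:{3}' -f $tag, $s.Length, $s.FileName, $s.Stream)

    # Copy the stream out as an ordinary file so it can be hashed or submitted;
    # the file name encodes the host path and stream name.
    $name = ($s.FileName -replace '[:\\]', '_') + '__' +
            ($s.Stream -replace '[:\\/*?"<>|]', '_') + '.bin'
    [System.IO.File]::WriteAllBytes((Join-Path $ExportDir $name), $bytes)

    if ($Delete) {
        # Removes just the named stream; the host file and its ':$DATA' remain.
        Remove-Item -LiteralPath $s.FileName -Stream $s.Stream -Force
    }
}
```

Run it first without -Delete, read the exported .bin files, and only then rerun with -Delete for the entries you have identified as bad. The caveat that matters here: this script asks the running kernel for its file and stream listing, so a kernel-mode rootkit that filters directory or stream enumeration hides its payload from this script exactly as it hides it from Explorer. That is why the thread's advice to look from a bootable CD, or with a tool that parses NTFS on disk directly, still applies; treat this as the cheap first pass, not the final word.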
#25
just found this one:
http://www.anti-malware-test.com/?q=taxonomy/term/7 anti-malware-test = independent testers at the Russian portal for IT security |